[BreachExchange] How Do You Secure a Constantly Changing IT Landscape?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 1 20:20:17 EDT 2018


https://www.infosecurity-magazine.com/opinions/constantly-changing-it-landscape/

Security doesn’t work if all we’re doing is trying to keep pace with an
ever-evolving landscape of threats and cyber-attacks – you’ll always be one
step behind. Cybersecurity is a hot topic, not just in large enterprise and
government organizations, but has now found its way to the kitchen table
and is something we all have an opinion on. After all, bad cybersecurity
habits affect us all.

Just simply reacting to new threats doesn’t work – but unfortunately this
is how many organizations are currently operating. To counteract this, the
best approach is to architect security into information technology systems
from the start. Easier said than done - but with advanced technologies and
new capabilities, provided by cloud and mobile computing, this is now not
only feasible but essential too.

In 2016 there were over 4,000 ransomware attacks every single day, and
that’s without mentioning the devastating effects of breaches like WannaCry
where hospitals were blocked from accessing essential data like patient
records. Of course, in reaction, cybersecurity spend has risen (in 2017 to
over $86.4 billion) and organizations are adding layers of security over
their systems.

The elephant in the room that is still leaving organizations vulnerable to
attack is mindset. Outdated systems, no matter how many layers of bubble
wrap companies blanket them in, are still outdated.

With breaches occurring at an alarming rate, and on such large scales too,
it’s time for organizations to make sure they’re practicing basic cyber
hygiene and protecting their crown jewels – mission critical business
applications and data.

What is cyber hygiene?
In short, the simple principles every organization with an IT system needs
to be aware of, and implementing, on a day-to-day basis. These can be
broken down into five core principles. These aren’t new ideas, but
sometimes they’re forgotten, and protocols aren’t always updated to keep
cyber armor ‘chink-free’:

Least Privilege - Just because you trust everyone in a business doesn’t
mean that the receptionist needs the same access levels as the CEO. Giving
users minimum necessary access leaves the most valuable data vulnerable to
far fewer breach points. Hotels don’t give guests a key for every room in
the hotel so why should his be any different?
Micro Segmentation - We don’t use drawbridges and castle walls anymore for
a reason – they give a false sense of security and encourage lax approaches
to security within the walls. Once an attacker infiltrates the
outer-defense the threat’s inside and there’s nowhere to hide. Breaking
down a network into layers and self-contained areas keeps the entire system
protected, and ensures access points aren’t left vulnerable to attack.
Don’t neglect the perimeter and don’t rely on that alone.
Encryption - Think of encryption as the last weapon in an arsenal against
hackers – except with cyber security it keeps you ahead of the game. If all
else fails and firewalls and access protocols are breached, encryption
means that all the critical data stored is useless to them. Like a Rubix
cube, if you don’t know how to decode it and put it back together,
encrypted data is a difficult puzzle to crack. Basic cyber hygiene means
encrypting files and data before sharing.  The same applies to encrypting
network traffic wherever possible.
Multi-factor authentication - From thumb-print ID to facial recognition,
security is becoming personal. But even implementing basic two-factor
authentication stops the first wave of breaches. And, the more personal
authentication gets, the more secure networks will be. After all, your
thumbprint is much more difficult to steal than a pin code.
Patching - Systems require updates for a reason. Every time malware gets
more advanced service providers respond with system and software updates.
Don’t remain in the past. Upgrade and update to stay ahead of the
attacker’s game.

Understanding these principles is one thing – but implementing them is
critical. Everyone in an organization should understand why cyber hygiene
is critical, but more importantly, IT managers and business decision makers
need to understand how to implement these principles.

Just like brushing your teeth or washing your hands, good cyber hygiene
habits protect everyone.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20181001/bb27da9c/attachment.html>


More information about the BreachExchange mailing list